Gate features requiring CSP unsafe-eval
on a non-default Cargo feature
#1647
Labels
help wanted
We could use some help fixing this issue!
js-sys
Issues related to the `js-sys` crate
web-sys
Issues related to the `web-sys` crate
Motivation
wasm-bindgen and its associated crates (
js_sys
,web_sys
, etc.) should be compatible with normal CSP configurations, i.e. ones that don't whitelistunsafe-eval
or unsafe-inline. Right now, it is too easy to accidentally to accidentally make a wasm-bindgen-based crate incompatible with good CSP practices. Further, it is hard to audit the internal implementation of wasm-bindgen and its associated crates for CSP problems. See #1641 for example.Proposed Solution
Create an
unsafe-eval
Cargo feature that controls access to theFunction
constructor, eval, and other features that result in JS that would requireunsafe-eval
. The feature shouldn't be marked as a default feature so that one can easily audit a depending crate's Cargo.toml to see if these features are in use. Instead, bump to the next incompatible version number since this is not a backward-compatible change. Test in CI the default configuration and the configuration with theunsafe-eval
feature enabled. Change the implementation of as many APIs as possible to work in the default (non-unsafe-eval
configuration, e.g.web_sys::window()
. This may require such APIs to be redesigned.The text was updated successfully, but these errors were encountered: